Bitcoin Forum

The sad story....  I generated vanity addresses* (online) for two wallets to easily keep them separate.  Moved them into MultiBit and locked the wallets with a 14 character LastPass generated password. 

I did NOT break from the internet when I combined the vanity secret keys.

The next morning MultiBit showed a transfer out of 5 coins to an unrecognized address, the transfer took place two hours after I left the computer. 

I have all of the normal security, e.g. behind a router, Norton firewall and virus protection.  I did have both Flash and Java on the machine.  They are gone now!

I believe two factor would have been my only protection.  Are there any offline wallets with two factor?  I am installing Armory now.

Until someone writes an easily useable, safe, wallet Bitcoin is going to be held back.  I thought I was being more conservative moving my coins out of Coinbase.  Guess not since they use two factor.

I would love to know how it was done.  There should be a centeralized reporting place to see if there are similar problems with specific websites.

*https://bitcoinvanity.appspot.com/  < the site I used.  I am NOT accusing them!

Blockchain.info has 2 factor auth and a second password to spend funds, so it's pretty secure, but I know a lot of people don't trust keeping coins online, but as you found out storing them on your computer isn't fully safe either.

Store your coins in your own bitcoin-qt wallet with a pass phrase. You can import your vanity addresses into it and you don't rely on others to provide security.

You should do a virus scan with a different virus scanner than you are using, like the Kaspersky rescue cd (http://support.kaspersky.co.uk/4162) because it looks like you are infected.

I was about to get a vanity address :S. Guess not now..

I would never trust vanity addresses, just so dodgy :-\

Offline storage is the safest way to go  :)

Sorry to hear your loss.
You should have downloaded Vanitygen and run it offline instead.

I don't trust these vanity address creaters or paper wallets. Do everything like this offline and only start with a small bit of funds being sent.

I am not sure about other programs, but vanitygen is open-source and you can get the source here.
https://github.com/samr7/vanitygen

This. There are ways to safely generate a Vanity address, one being doing it yourself or buying an address from a vanitygen  pool which uses Privkey and Pubkey. However using a vanitygen pool will cost you a bit (click (https://vanitypool.appspot.com/))

Vanitygen is safe and has been around for a while now.

Agree with bitcoininformation.  ;)
Oops, it seems like bitcoininformation agrees with me indeed lol  :D

I meant like online website ones.

I feel sorry for the loss. Maybe you had a hidden trojan somewhere on your pc. Be careful what you download of the internet.

Use the QT. Quit relying on others to provide security for you.

Then you have to be VERY careful about your programs etc. Just use blockchain.info's wallet service.

So far bitcoin-qt is the best. Just use that wallet and nothing else..

In which case you STILL have to be VERY careful about your programs etc.

blockchain.info's service is just a wallet that runs in your browser.  Any program that can steal your bitcoins from a wallet running on your computer can steal bitcoins from blockchain.info's service.

Exactly.

If you have a trojan/keylogger on your computer, your bitcoin will be stolen, no matter you are using bitcoin-qt, electrum, multibit, bc.i online wallet, or using exchanges / gambling sites to keep your bitcoin.

That's why you should never download a random file or click a random link, and you should better use a offline wallet to store your bitcoin. :D

Just like to bump this, exact same thing happened to me after using https://bitcoinvanity.appspot.com

I imported the new address into blockchain.info and secured with 2FA and email login approval.  7 BTC lost withdrawn to a random address over the past weekend. 

The only conclusion I can come to is that bitcoinvanity.appspot.com has been hacked, I note that nibors last post on 31 Dec 2013 is:

"Currently off-line due to hack - no bets lost though. Will update later."

This is regarding the sister site www.pinballcoin.com

Im pretty sure my mac has not been compromised, only install files from the app store and I have other wallets that are fine, just this one created via bitcoinvanity.

Expensive lesson for me to try and shortcut running the open source myself but hopefully someone else doesn't make the same mistake.

Why need those vanity address. You are just creating another hole to your security. QT is enough and use a new clean install pc with only antivirus on it besides bitcoin and never use it other than storing your bitcoins.

I realise that and the loss of 7 BTC has been an expensive lesson.  Hopefully this is a warning to others, would be nice to be 100% certain that it is due to that website that I have lost the coins though

It may sound a bit harsh but it's your own fault. I have advised a legit, secure and good working vanity pool above...
I don't know how legit bitcoinvanity.appspot.com is, but it doesn't seem secure if you ask me. You don't need to create extra randomness to get a vanity address. I don't even know how that would help.

I do feel bad for you. Losing 7BTC sucks.

My bet would be on the vanity site you used, because your other wallets are fine.

I couldn't agree more, and to be honest Ive no excuse other than I was too impatient to run the software myself

IF your other wallets are fine then it's a good chance that the problem was with the website.

This is a sad situation.  It is hard enough for cryptocurrencies to gain legitimacy without all of the BS that scammers pull.  I had a similar situation with bitlaunder.com.  All of my coins have evaporated and the owner of the site, while he has finally contacted me back called me absurd. 

Checkout my original post here: https://bitcointalk.org/index.php?topic=453671.0

Is there an email address or other way we can bombard the site you used with emails.  If we all can come together, help and support each other, we can maybe drive some of this BS out of the equation.

***UPDATE***

Mr. Moriarty just got in touch with me. 

I have to say that he is in the process of making things right with me.  He owed me .3234 BTC.  After a couple of back and forth emails, we agreed to the following.  I would remove the negative rating and he would deposit .20 BTC in my account.  Which he has done.  Further, once I update the posts I have made and let folks know the outcome, he will then release the balance of .1234 BTC to me.

After having talked with Mr. Moriarty, I was informed that somehow my account was hacked.  He does seem to be quite busy working to contain the situation.  The fact that he is reimbursing me out of his own pocket, in my opinion, does speak volumes to this man's character.

Bitlaunder.com seems to be making the effort to correct things.

this story is unfortunate

Indeed, someone has accused the site stole bitcoin from users back in Aug 2013.
FYR: https://bitcointalk.org/index.php?topic=278769.0

I don't know why this didn't pop up when I initially researched the site. Just lost 2.3+ BTC today to this site.

I made a reddit post on this topic.

You can upvote it here if you're so inclined: http://www.reddit.com/r/Bitcoin/comments/1y7upu/bitcoinvanityappspotcom_is_not_secure_and/

Sad to hear your loss...
BTW, if you did a google search with "bitcoinvanity", you will find the thread I linked in my last post.

Yeah - not sure why, but Google buried the results below the official threads and other unrelated sites when I looked prior to using it.

I've looked through the site and can't find any abuse contact info; in fact their TOS doesn't have anything about no abuse allowed. Irresponsible to allow unfettered content from anony users and have no abuse contact. Possibly the most efficient way to have it killed is to have someone with any copyright standing for any similar code (or that used behind the scenes such as vanitygen) issue a DMCA takedown request, which Google will have to comply with to maintain safe harbor.

How many people (average joe not tech mad) have a spare PC laying around doing nothing?!

Maybe a very old pc or laptop?

Don't let anyone create an address for you, they will have a copy of your private key! If you don't exclusively own the private key you don't own the coins!

Install Ubuntu OS, install Bitcoin-QT, encrypt your wallet with a password after making it, use that OS for nothing else but accessing your coins. (It'll even install on the same hard drive as windows if you don't have two PCs.) If you want to use an alt-coin wallet make another user account and keep them separated!

http://www.ubuntu.com/download
https://bitcoin.org/en/download

Vanity addresses are safe if they are generated in the right way. Yes, even if multiple people work on it.

Sorry to hear that.  Pretty much never let someone else generate a private key for you.  You can just run vanitygen on your own computer if you reaaaly need one.

Where can I get a compiled, trusted, windows version of vanitygen?   All I find is the code.

Just get a Vanity address, import it into Blockchain, and then have them 'sweep' the address for you into a non-vanity address. That way your coins are not compromised, because they are never in the vanity address long enough to be cleaned out, yet you're still able to use the address.

Bitcoin Info, would you please go into this a little more or point me somewhere?  I though if anyone else generated your vanity that they would have the private keys to it.  Is the solution the "sweep" approach?

Thanks!

The method is explained clearly in the following post.
FYR: https://bitcointalk.org/index.php?topic=81865.msg901491#msg901491